1. Field of the Invention
The present invention relates generally to a hardware cryptographic engine.
2. Description of the Related Art
Users may transmit information using smart cards (or IC cards), Internet communications, wireless LAN communications and the like. Some of the transmissions may involve secret information for which security may be maintained. To this end, a hardware cryptographic engine may be implemented for encrypting the information. The encrypted information may be referred to as ciphertext. The hardware cryptographic engine may perform cryptographic algorithms with an appropriate key to produce the ciphertext.
Attackers, who seek unauthorized access to the information, may employ attack methods that focus on theoretical weaknesses of the cryptographic algorithms. These attack methods may allow an attacker to decrypt communications. Attack methods implementing theoretical approaches may have been successful in only very limited conditions.
Attackers may also employ attack methods that involve monitoring a physical property of the cryptographic operation. Such physical properties may include, for example, a difference of power consumption amounts and a time difference of performed operations. Attack methods based on monitoring a physical property may acquire keys (which are used by the cryptographic algorithm for encryption and decryption purposes) in less time and with less effort than attack methods based on theoretical weaknesses.
An encryption operation may be implemented by hardware (e.g., smart cards). Public key algorithms, such as RSA and ECC for example, may be implemented by hardware. In public key cryptography, a public key may be used to perform encryption operations. Symmetric key algorithms, such as the data encryption standard (DES) and the advanced encryption standard (AES) for example, may also be implemented by hardware. In both public key and symmetric key systems, it is desirable to keep secret information from an attacker.
FIG. 1 is a block diagram of a prior art hardware cryptographic engine that may perform a parallel processing technique. This hardware cryptographic engine may implement the DES algorithm (for example) by which two ciphertext engines 100, 200 may operate independently and in parallel to process encryption. The parallel ciphertext engines 100, 200 may respectively generate two identical ciphertexts (CRYPTA) from transmission data (TXD). Each of the ciphertext engines 100, 200 may generate the ciphertext (CRYPTA) from transmission data (TXD) via 16 round operations. That is, as shown in FIG. 1, each of the round blocks (rounds 1 through 16) may perform an encryption operation according to the DES algorithm using a predetermined key. All 16 rounds may be completed to generate the ciphertext (CRYPTA).
Keys may be used by the respective round blocks (rounds 1 through 16). The keys may be generated by a key schedule of an additional key generation algorithm. For example, if an 8-byte DES key is used, then the keys of rounds 1 through 16 may be generated. Depending on the particular application, the keys may be different from each other, the keys may be the same, and the keys may be private keys or open keys.
If the ciphertexts (CRYPTA) output from the two parallel ciphertext engines 100, 200 are identical, then the ciphertext (CRYPTA) may be transmitted to a desired destination node through a predetermined transmission module. However, if a fault occurs during the encryption operations, the ciphertexts output respectively from the two parallel ciphertext engines 100, 200 may not be identical. In this case, to prevent leakage of secret information, the ciphertext (CRYPTA) may not be transmitted to the destination node.
FIG. 2 is a schematic diagram of two round blocks depicted in FIG. 1. Each of the round blocks (rounds 1 through 16) of the first and the second ciphertext engines 100 (200) may include an encryption unit 120 (220) and an exclusive OR (XOR) logic 110 (210). When the first and the second ciphertext engines 100, 200 respectively encrypt transmission data (TXD) through 16 rounds and identical ciphertexts (CRYPTA) are output, the subsequent circuits may transmit the ciphertext (CRYPTA), which may be determined to not have a fault, to a destination node. When a mechanical fault occurs during the encryption operation, the ciphertexts (CRYPTA) output respectively from the two parallel ciphertext engines 100, 200 may not be identical. To prevent leakage of secret information, the ciphertext (CRYPTA) may not be transmitted to the destination node.
The prior art device depicted in FIG. 1 is not without shortcomings. For example, respective faults may occur in identical locations of the first and the second ciphertext engines 100, 200. As shown in FIG. 2, the respective faults may transform an original ciphertext A into a faulted ciphertext A′ in the block of the ciphertext engine 100 and the block of the ciphertext engine 200. In this case, notwithstanding the faults, the final ciphertexts (CRYPTA) output respectively from the two parallel ciphertext engines 100, 200 may still be identical, and the ciphertext (CRYPTA) may be transmitted to a destination node. This may lead to secret information being leaked out from the hardware cryptographic engine. For example, the mechanical fault occurring in the hardware cryptographic engine may be generated by an unauthorized hacker. The hacker may then find keys used in the algorithm by analyzing the ciphertexts having the fault.
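The comparison scheme of FIG. 1 and its blind spot can be modelled in software. The following is an added illustration, not part of the original disclosure: the round function and key schedule are SHA-256-based stand-ins rather than DES, and all names, the sample key, the sample data and the fault position are constructed assumptions.

```python
import hashlib

ROUNDS, MASK32 = 16, 0xFFFFFFFF

def round_keys(key: bytes):
    # Stand-in key schedule (not the DES schedule): one 32-bit subkey per round.
    return [int.from_bytes(hashlib.sha256(key + bytes([r])).digest()[:4], "big")
            for r in range(ROUNDS)]

def f(half: int, subkey: int) -> int:
    # Stand-in round function (not the DES expansion/S-box/permutation network).
    data = (half ^ subkey).to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def engine(txd: int, keys, fault=None) -> int:
    """One ciphertext engine: 16 Feistel rounds over a 64-bit block.
    fault=(round_index, mask) flips bits in the right half entering that
    round, modelling a transient fault in one round block."""
    left, right = txd >> 32, txd & MASK32
    for r in range(ROUNDS):
        if fault is not None and fault[0] == r:
            right ^= fault[1]
        left, right = right, left ^ f(right, keys[r])
    return (right << 32) | left  # final swap, as in a Feistel cipher

def compare_and_release(txd: int, key: bytes, fault_a=None, fault_b=None):
    """Run engines 100 and 200 in parallel on the same TXD and key.
    Returns CRYPTA only if both outputs match; otherwise None (withheld)."""
    keys = round_keys(key)
    crypt_a = engine(txd, keys, fault_a)
    crypt_b = engine(txd, keys, fault_b)
    return crypt_a if crypt_a == crypt_b else None

# Constructed sample values for the demonstration.
TXD = 0x0123456789ABCDEF
KEY = bytes.fromhex("133457799BBCDFF1")
FAULT = (14, 0x00000001)  # single-bit flip entering the 15th round block

if __name__ == "__main__":
    good = compare_and_release(TXD, KEY)
    print("no fault        :", hex(good))
    print("fault in 100    :", compare_and_release(TXD, KEY, fault_a=FAULT))
    both = compare_and_release(TXD, KEY, FAULT, FAULT)
    print("same fault both :", hex(both), "(released, differs from correct)")
```

Because every round is invertible, a fault in only one engine always changes that engine's output and is caught by the comparison, while the same fault in both engines always yields matching but incorrect ciphertexts that the comparator releases.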
Research on the possibility of these fault attacks by hackers has been conducted, and example cases were announced by Infineon Technologies. Among these fault attacks is the differential fault attack (DFA). The DFA may be misused (as a secret information acquiring means) by hackers desiring to obtain keys through a ciphertext having a fault (fault message) in a symmetrical algorithm such as the DES (for example).
According to conventional wisdom, leakage of secret information by the DFA may be prevented by performing an identical encryption twice. The resulting values of the encryptions may be compared. If the resulting values are different from each other, then encryption may be performed again so that a fault may be prevented. Another conventional method involves inputting a ciphertext through a communication line. The ciphertext may be stored and decoded. The decoded data may be again encrypted and compared with the ciphertext received through the communication line. Although these conventional techniques are generally thought to provide acceptable results, they are somewhat cumbersome since they involve comparing the results of operations performed twice. Furthermore, performing operations twice may take a significant amount of time, thereby lowering the operation speed of a system.